Atlassian's popular HipChat tool was hacked

Australian tech giant Atlassian has urged HipChat users to reset their password after the popular workplace chat app was hacked.

In an email to users and a blog post, the company’s chief security officer Ganesh Krishnan said a “security incident” was detected over the weekend on a server that serves the HipChat cloud.

“We believe this incident may have resulted in unauthorised access to content from the HipChat.com service,” said Krishnan, adding that the attacker may have accessed user account information including names, emails and a disguised form of the password.

“For a small number of instances (less than 0.05%), messages and content in rooms may have been accessed. We are contacting and will work closely with these customers.”

People were urged to immediately reset their HipChat password and also change it on other sites if they used the same one.

Krishnan said that no financial information was vulnerable, that there was “no evidence” of other Atlassian systems or products being affected by the intrusion, and that the company was “confident” the problem had been isolated and resolved.

The advisory page stated that affected HipChat servers include “a version of Crowd that has a version of the Apache Struts 2 library that is vulnerable to CVE-2017-5638”. Krishnan said an investigation into the resultant intrusion was continuing.

“Atlassian is actively working with law enforcement authorities on the investigation of this matter,” he said.